mobbdev 0.0.22 → 0.0.24

package/README.md

@@ -1,26 +1,34 @@
 # Bugsy
 
-Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.dev), the first vendor-agnostic automatic security vulnerability remediation tool. Bugsy is designed to help developers easily identify and fix security vulnerabilities in their code.
+Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.dev), the first vendor-agnostic automated security vulnerability remediation tool. Bugsy is designed to help developers quickly identify and fix security vulnerabilities in their code.
 
-<img width="750" alt="Screenshot 2023-03-27 at 5 23 19 PM" src="https://user-images.githubusercontent.com/96389636/228070025-2a1c3aae-6b40-427f-a1e9-2b10ef97b5ea.png">
+<img width="1888" alt="Screenshot 2023-07-13 at 5 22 11 PM" src="https://github.com/mobb-dev/autofixer/assets/96389636/f1861bfe-c024-4976-aa57-8b6c1e2f4029">
 
 ## What is [Mobb](https://www.mobb.dev)?
 
-[Mobb](https://www.mobb.dev) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, GitHub Advanced Security, and Snyk and produces code fixes for developers to review and commit to their code.
+[Mobb](https://www.mobb.dev) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, CodeQL (GitHub Advanced Security), OpenText Fortify, and Snyk and produces code fixes for developers to review and commit to their code.
 
 ## What does Bugsy do?
 
+Bugsy has two modes - Analyze (the user has a pre-generated SAST report from one of the supported SAST tools) and Scan (no SAST report needed).
+
+Scan
+
 -   Uses Snyk CLI tool to run a SAST analysis on a given open-source GitHub repo
 -   Analyzes the vulnerability report to identify issues that can be remediated automatically
 -   Produces the code fixes and redirects the user to the fix report page on the Mobb platform
 
+Analyze
+
+-   Analyzes the vulnerability report to identify issues that can be remediated automatically
+-   Produces the code fixes and redirects the user to the fix report page on the Mobb platform
+
 ## Disclaimer
 
-This is a community edition version that only analyzes public GitHub repositories.
+This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time.
 Snyk CLI is used to produce a SAST vulnerability report.
 
--   Only Java projects are supported at the moment.
--   Only SQLi, CMDi, XSS, XXE, and Path Traversal are currently supported.
+-   Only Java and Node.js projects are supported at the moment.
 
 ## Usage
 

package/index.mjs

@@ -6,21 +6,24 @@ async function run() {
     const args = await parseArgs(hideBin(process.argv));
     const [command] = args._;
     if (command === 'scan') {
-        const { repo, branch, yes, scanner, apiKey } = args;
-        await scan(
-            { repoUrl: repo, branch, scanner, apiKey },
-            { skipPrompts: yes }
-        );
+        const { yes, ...restArgs } = args;
+        await scan(restArgs, { skipPrompts: yes });
     }
     if (command === 'analyze') {
-        const { repo, scanFile, branch, yes, apiKey } = args;
-        await analyze(
-            { repoUrl: repo, scanFilePath: scanFile, branch, apiKey },
-            { skipPrompts: yes }
-        );
+        const { yes, ...restArgs } = args;
+        await analyze(restArgs, { skipPrompts: yes });
     }
 }
 
 (async () => {
-    await run();
+    try {
+        await run();
+        process.exit(0);
+    } catch (err) {
+        console.error(
+            'Something went wrong, please try again or contact support if issue persists.'
+        );
+        console.error(err);
+        process.exit(1);
+    }
 })();

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mobbdev",
-    "version": "0.0.22",
+    "version": "0.0.24",
     "description": "Automated secure code remediation tool",
     "main": "index.mjs",
     "scripts": {

package/src/commands/index.mjs

@@ -2,9 +2,9 @@ import { z } from 'zod';
 import fs from 'node:fs';
 import chalk from 'chalk';
 import chalkAnimation from 'chalk-animation';
-import { choseScanner } from '../feature/analysis/prompts.mjs';
+import { choseScanner } from '../features/analysis/prompts.mjs';
 import { SCANNERS, mobbAscii } from '../constants.mjs';
-import { runAnalysis } from '../feature/analysis/index.mjs';
+import { runAnalysis } from '../features/analysis/index.mjs';
 import { sleep } from '../utils.mjs';
 import path from 'path';
 
@@ -13,65 +13,79 @@ const GITHUB_REPO_URL_PATTERN = new RegExp(
 );
 
 const UrlZ = z
-    .string({ required_error: 'Please Enter A Github Url' })
+    .string({
+        invalid_type_error: 'is not a valid github URL',
+    })
     .regex(GITHUB_REPO_URL_PATTERN, {
-        message: 'Invalid Github repository URL',
+        message: 'is not a valid github URL',
     });
 
-function handleScanErrorMessage({ error, repoUrl, command }) {
-    console.log('\n');
+function printRepoUrlErrorMessage({ error, repoUrl, command }) {
     const errorMessage = error.issues[error.issues.length - 1].message;
-    if (repoUrl) {
-        console.log(`Error: ${chalk.bold(repoUrl)} is ${errorMessage}`);
-    }
-    console.log(
-        `Example: \n\tmobbdev ${command} ${chalk.bold(
-            '-r https://github.com/WebGoat/WebGoat'
+    console.error(`\nError: ${chalk.bold(repoUrl)} is ${errorMessage}`);
+    console.error(
+        `Example: \n\tmobbdev ${command} -r ${chalk.bold(
+            'https://github.com/WebGoat/WebGoat'
         )}`
     );
 }
 
 export async function analyze(
-    { repoUrl, scanFilePath, branch, apiKey },
+    { repo, scanFile, branch, apiKey, ci },
     { skipPrompts = false } = {}
 ) {
-    const { success, error } = UrlZ.safeParse(repoUrl);
+    const { success, error } = UrlZ.safeParse(repo);
     if (!success) {
-        return handleScanErrorMessage({ error, repoUrl, command: 'analyze' });
+        printRepoUrlErrorMessage({
+            error,
+            repoUrl: repo,
+            command: 'analyze',
+        });
+        process.exit(1);
+    }
+    if (ci && !apiKey) {
+        console.error(
+            '\nError: --ci flag requires --api-key to be provided as well'
+        );
+        process.exit(1);
     }
-    console.log('scanFilePath', scanFilePath);
-    if (!fs.existsSync(scanFilePath)) {
-        console.log(`\nCan't access ${chalk.bold(scanFilePath)}`);
-        return;
+    if (!fs.existsSync(scanFile)) {
+        console.error(`\nCan't access ${chalk.bold(scanFile)}`);
+        process.exit(1);
     }
-    if (path.extname(scanFilePath) !== '.json') {
-        console.log(`\n${chalk.bold(scanFilePath)} is not a json file`);
-        return;
+    if (path.extname(scanFile) !== '.json') {
+        console.error(`\n${chalk.bold(scanFile)} is not a json file`);
+        process.exit(1);
     }
-    await showWelcomeMessage(skipPrompts);
-    await runAnalysis(
-        { repoUrl, scanFilePath, branch, apiKey },
-        { skipPrompts }
-    );
+    !ci && (await showWelcomeMessage(skipPrompts));
+    await runAnalysis({ repo, scanFile, branch, apiKey, ci }, { skipPrompts });
 }
 
 export async function scan(
-    { repoUrl, scanner, branch, apiKey },
+    { repo, scanner, branch, apiKey, ci },
     { skipPrompts = false } = {}
 ) {
-    const { success, error } = UrlZ.safeParse(repoUrl);
+    const { success, error } = UrlZ.safeParse(repo);
+    if (ci && !apiKey) {
+        console.error(
+            '\nError: --ci flag requires --api-key to be provided as well'
+        );
+        process.exit(1);
+    }
+
     if (!success) {
-        return handleScanErrorMessage({ error, repoUrl, command: 'scan' });
+        printRepoUrlErrorMessage({ error, repoUrl: repo, command: 'scan' });
+        process.exit(1);
     }
-    await showWelcomeMessage(skipPrompts);
+    !ci && (await showWelcomeMessage(skipPrompts));
     scanner ??= scanner || (await choseScanner());
     if (scanner !== SCANNERS.Snyk) {
-        console.log(
+        console.error(
             'Vulnerability scanning via Bugsy is available only with Snyk at the moment. Additional scanners will follow soon.'
         );
-        return;
+        process.exit(1);
     }
-    await runAnalysis({ repoUrl, scanner, branch, apiKey }, { skipPrompts });
+    await runAnalysis({ repo, scanner, branch, apiKey }, { skipPrompts });
 }
 async function showWelcomeMessage(skipPrompts = false) {
     console.log(mobbAscii);

package/src/{feature → features}/analysis/github.mjs

@@ -6,7 +6,7 @@ import { promisify } from 'node:util';
 import fetch from 'node-fetch';
 import extract from 'extract-zip';
 import Debug from 'debug';
-import { createSpinner } from 'nanospinner';
+import { Spinner } from '../../utils.mjs';
 import { GITHUB_CLIENT_ID, WEB_APP_URL } from '../../constants.mjs';
 const pipeline = promisify(stream.pipeline);
 const debug = Debug('mobbdev:github');
@@ -69,9 +69,10 @@ export async function getDefaultBranch(repoUrl, { token } = {}) {
 }
 
 export async function downloadRepo(
-    { repoUrl, reference, dirname },
+    { repoUrl, reference, dirname, ci },
     { token } = {}
 ) {
+    const { createSpinner } = Spinner({ ci });
     const repoSpinner = createSpinner('💾 Downloading Repo').start();
     debug('download repo %s %s %s', repoUrl, reference, dirname);
     const zipFilePath = path.join(dirname, 'repo.zip');

package/src/{feature → features}/analysis/index.mjs

@@ -1,7 +1,6 @@
 import chalk from 'chalk';
 import Configstore from 'configstore';
 import Debug from 'debug';
-import { createSpinner } from 'nanospinner';
 import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
@@ -21,7 +20,7 @@ import { GQLClient } from './gql.mjs';
 import { githubIntegrationPrompt, mobbAnalysisPrompt } from './prompts.mjs';
 import { getSnykReport } from './snyk.mjs';
 import { uploadFile } from './upload-file.mjs';
-import { keypress } from '../../utils.mjs';
+import { keypress, Spinner } from '../../utils.mjs';
 
 const webLoginUrl = `${WEB_APP_URL}/cli-login`;
 const githubSubmitUrl = `${WEB_APP_URL}/gh-callback`;
@@ -51,37 +50,34 @@ const config = new Configstore(packageJson.name, { token: '' });
 debug('config %o', config);
 
 export async function runAnalysis(
-    { repoUrl, scanner, scanFilePath, branch, apiKey },
-    { skipPrompts }
+    { repo, scanner, scanFile, branch, apiKey, ci },
+    options
 ) {
     try {
         await _scan(
             {
                 dirname: tmpObj.name,
-                repoUrl,
+                repo,
                 scanner,
-                scanFilePath,
+                scanFile,
                 branch,
                 apiKey,
+                ci,
             },
-            { skipPrompts }
+            options
         );
-    } catch (err) {
-        console.error(
-            'Something went wrong, please try again or contact support if issue persists.'
-        );
-        console.error(err);
     } finally {
         tmpObj.removeCallback();
     }
 }
 
 export async function _scan(
-    { dirname, repoUrl, scanFilePath, branch, apiKey },
+    { dirname, repo, scanFile, branch, apiKey, ci },
     { skipPrompts = false } = {}
 ) {
-    debug('start %s %s', dirname, repoUrl);
-
+    debug('start %s %s', dirname, repo);
+    const { createSpinner } = Spinner({ ci });
+    skipPrompts = skipPrompts || ci;
     let token = config.get('token');
     debug('token %s', token);
     apiKey ?? debug('token %s', apiKey);
@@ -89,7 +85,7 @@ export async function _scan(
     await handleMobbLogin();
     const userInfo = await gqlClient.getUserInfo();
     let { githubToken } = userInfo;
-    const isRepoAvailable = await canReachRepo(repoUrl, {
+    const isRepoAvailable = await canReachRepo(repo, {
         token: userInfo.githubToken,
     });
     if (!isRepoAvailable) {
@@ -98,7 +94,7 @@ export async function _scan(
     }
 
     const reference =
-        branch ?? (await getDefaultBranch(repoUrl, { token: githubToken }));
+        branch ?? (await getDefaultBranch(repo, { token: githubToken }));
     const { projectId, organizationId } = await gqlClient.getOrgAndProjectId();
     debug('org id %s', organizationId);
     debug('project id %s', projectId);
@@ -107,14 +103,15 @@ export async function _scan(
 
     const repositoryRoot = await downloadRepo(
         {
-            repoUrl,
+            repoUrl: repo,
             reference,
             dirname,
+            ci,
         },
         { token: githubToken }
     );
 
-    const reportPath = scanFilePath || (await getReportFromSnyk());
+    const reportPath = scanFile || (await getReportFromSnyk());
 
     const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
     await uploadFile(
@@ -127,7 +124,7 @@ export async function _scan(
     try {
         await gqlClient.submitVulnerabilityReport(
             uploadData.fixReportId,
-            repoUrl,
+            repo,
             reference,
             projectId
         );
@@ -139,7 +136,7 @@ export async function _scan(
     debug('report %o', report);
 
     const results = ((report.runs || [])[0] || {}).results || [];
-    if (results.length === 0 && !scanFilePath) {
+    if (results.length === 0 && !scanFile) {
         mobbSpinner.success({
             text: '🕵️‍♂️ Report did not detect any vulnerabilities — nothing to fix.',
         });
@@ -150,7 +147,6 @@ export async function _scan(
 
         await askToOpenAnalysis();
     }
-    process.exit(0);
     async function getReportFromSnyk() {
         const reportPath = path.join(dirname, 'report.json');
 
@@ -163,15 +159,18 @@ export async function _scan(
         return reportPath;
     }
     async function askToOpenAnalysis() {
+        const reportUrl = `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${uploadData.fixReportId}`;
+        !ci && console.log('You can access the report at: \n');
+        console.log(reportUrl);
         !skipPrompts && (await mobbAnalysisPrompt());
-        open(
-            `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${uploadData.fixReportId}`
-        );
-        console.log(
-            chalk.bgBlue(
-                '\n\n  My work here is done for now, see you soon! 🕵️‍♂️  '
-            )
-        );
+
+        !ci && open(reportUrl);
+        !ci &&
+            console.log(
+                chalk.bgBlue(
+                    '\n\n  My work here is done for now, see you soon! 🕵️‍♂️  '
+                )
+            );
     }
 
     async function handleMobbLogin() {
@@ -190,7 +189,6 @@ export async function _scan(
                 text: '🔓 Logged in to Mobb failed - check your api-key',
             });
             process.exit(1);
-            return;
         }
         const mobbLoginSpinner = createSpinner().start();
         if (!skipPrompts) {
@@ -214,7 +212,7 @@ export async function _scan(
             mobbLoginSpinner.error({
                 text: 'Something went wrong, API token is invalid.',
             });
-            process.exit(0);
+            process.exit(1);
         }
         debug('set token %s', token);
         config.set('token', token);

package/src/utils.mjs

@@ -1,4 +1,6 @@
 import readline from 'node:readline';
+import { createSpinner as _createSpinner } from 'nanospinner';
+import { PassThrough } from 'stream';
 export const sleep = (ms = 2000) => new Promise((r) => setTimeout(r, ms));
 
 export async function keypress() {
@@ -16,3 +18,13 @@ export async function keypress() {
         });
     });
 }
+
+export function Spinner({ ci = false } = {}) {
+    return {
+        createSpinner: (text, options) =>
+            _createSpinner(text, {
+                stream: ci ? new PassThrough() : undefined,
+                ...options,
+            }),
+    };
+}

package/src/yargs.mjs

@@ -24,6 +24,13 @@ const apiKeyOption = {
     describe: chalk.bold('Mobb authentication api-key'),
     type: 'string',
 };
+const ciOption = {
+    describe: chalk.bold(
+        'Run in CI mode, prompts and browser will not be opened'
+    ),
+    type: 'boolean',
+    default: false,
+};
 
 export const parseArgs = (args) => {
     const yargsInstance = yargs(args);
@@ -81,6 +88,7 @@ export const parseArgs = (args) => {
                     b: branchOption,
                     y: yesOption,
                     ['api-key']: apiKeyOption,
+                    ci: ciOption,
                 });
             },
         })
@@ -91,6 +99,7 @@ export const parseArgs = (args) => {
                 yargsInstance.showHelp();
             },
         })
+        .strictOptions()
         .help('h')
         .alias('h', 'help')
         .epilog(chalk.bgBlue('Made with ❤️  by Mobb'))